CCP and Zone-based firewall: Editing FW policy issue



I have a customer who really likes to use the GUI to configure (manage ACL, Firewall policy) his Cisco devices (mainly routers).

Using the latest version of CCP (2.3), I think there is an issue regarding the editing of firewall policy when you use an ACL in the class map. The entry in the firewall policy appears as read-only. It is a shame because I cannot configure Zone-based firewall at my customer because he wouldn't be able to edit the Zone-based policies through CCP!

Working fine with CBAC!

Has anyone seen this issue before?


Kevin Redmon Tue, 09/21/2010 - 07:33
User Badges:
  • Cisco Employee,

Is there anything that is especially unique about these policies' access-lists versus others?  Are you able to modify other firewall policy/access-lists without issue?

Were the policies originally configured via CCP or via CLI?  If you configured them via CLI, how difficult would it be for you to configure via CCP?  There are certain values/fields that are used within the CLI textual output that CCP relies on to populate the GUI options.  If these fields are missing, this can make it impossible to edit the firewall policy via CCP.

If your client intends to make ongoing configuration changes leveraging CCP, it is advised to make all configuration changes via CCP.

Let me know if that helps.

Best Regards,


Hi Kevin,

Thanks for your post. I have tried different scenarios, and the issue happens with self zone configuration only.

If you configure the other zones in CLI you can edit them without problem in the GUI. But with the self zone, if you have configured Zone-based policies with CLI you cannot edit them with the GUI as they are read-only.

I don't know if you have the possibility to test that. It is a shame because it could have been nice to have the possibility to edit the OUT-TO-SELF and SELF-TO-OUT FW policy with the GUI.



chaitram Tue, 09/28/2010 - 23:49


Can you share the running configuration of your router please? Will try to take a look at what could be the cause of the problem. I am assuming you are using Cisco Configuration Professional Version 2.3.



Panos Kampanakis Thu, 10/07/2010 - 12:52
User Badges:
  • Cisco Employee,

Please open a case with TAC to have them look at it. They should be able to chase it down.

I hope it helps.



